WordPress Security

WordPress officially released the new version of stand-alone blog software. WordPress 2.8 is name Baker and fixed over 790 bugs. Below is a small video about the latest WordPress release.

Highlights

• New drag-and-drop widgets admin interface and new widgets API
• Syntax highlighting and function lookup built into plugin and theme editors
• Browse the theme directory and install themes from the admin
• Allow the dashboard widgets to be arranged in up to four columns
• Allow configuring the number of items to show on management pages with an option in Screen Options
• Support timezones and automatic daylight savings time adjustment
• Support IIS 7.0 URL Rewrite Module
• Faster loading of admin pages via script compression and concatenation

New Features

User Features

• New Theme Installer routines
• Add CodePress syntax highlighting to Theme and Plugin editors
• Add Documentation(function) lookup to Theme and Plugin editors
• Use “Custom Header” for menu text and revise Default theme to reflect change
• Separate Comments into a separate postbox, from Discussion postbox, on the Edit Post screen
• Make tags accessible without Javascript on the edit screen
• Don’t ask for confirmation when marking a comment as spam
• Don’t notify post author of own comments
• Fix comment paging for static front page
• Allow the dashboard widgets to be arranged in up to four columns as set via the Screen Options tab
• Make titles into links in Dashboard Right Now module (this was in 2.7.1)
• Improved Admin icons (grey-to-transparent shadows)
• Update Blue Admin Color Scheme
• Press This improvements UI, quoting fixes, plus ability for Contributors to use Press This
• Add a Cancel Upload button and a Delete link to Administration > Media > Add New
• Add column “Rating” in Administration > Links > Edit
• Improve installer to help people entering wrong email addresses
• Improved Widget user interface
• Allow editing of all plugin files (Ticket 6732)
• Improved Plugin search (this was in 2.7.1) on Administration > Plugins > Add New
• Per Page option for plugins
• Move “Install a plugin in .zip format” to new Upload tab under Administration > Plugins > Add New
• Show absolute date instead of relative date for scheduled posts
• Fix tags suggest for post quick edit and bulk edit
• Permalink editor changes and fix for pages
• Autosave post/page when pressing Control/Command+S
• Add toggle all button to the Gallery tab in the uploader
• Support more than one gallery on the same page
• Add per page option to Screen Options for comments, posts, pages, media, categories, and tags
• Overhaul of LiveJournal importer (also add define WP_IMPORTING)
• Import category descriptions for Administration > Tools > Import > WordPress
• Show Tools menu for all users so they can access Turbo
• Check for new version when visiting Administration > Tools > Upgrade
• In upgrade process, provide better explanation for database upgrade message
• Fix most popular link category list
• Add description field for Tags in Administration > Posts > Tags
• WAI-ARIA landmark roles to added to WordPress Default theme
• “Choose a city in the same timezone as you” for Timezone in Administration > Settings > General
• Remove My Hacks option from Administration > Settings > Miscellaneous
• Hide email addresses from low privilege users on Administration > Comments
• Allow case-insensitive logins
• Login and Registration pages noindex followed
• Give login screen proper iPhone viewport
• Enforce unique email addresses in Add/Edit users
• Make user_nicenames unique during registration
• Add “Send this password to the new user by email” option to Administration > Users > Add New
• Don’t set user’s Website url to http:// in Administration > Users > Add New
• Add password strength meter to Add User and Edit User
• Hide things that need to be available to screen readers via offscreen positioning
• Use invisible class for hiding labels and legends
• Use a semantic class name for text targeted to screen readers

Development, Themes, Plugins

• Improved database performance
• Drop post_category column from wp_posts table, and link_category column from wp_links schemas
• Fix delete statements to ensure data integrity when innodb and foreign keys are used
• Enforce consistent ID types to allow for foreign keys to be defined between tables
• Add Sticky to list of post states
• Add a filter to the post states list
• Introduction and widespread use of transient and related filters
• Add filters so AIM, Yahoo, and Jabber IM labels, in user profile, can be changed
• Add hook “after_db_upgrade”
• Add hooks for the Users, Categories, Link Categories, Tags and Comments table columns
• HTTP API updates and fixes
• Add support for blocking all outbound HTTP requests
• Updated List of HTTP status codes (Ticket 9297)
• Use SimplePie for widget and dashboard feeds
• Switch to pomo lib. Support gettext contexts. Deprecate long form functions
• TinyMCE 3.2.4.1
• Use Jcrop 0.9.8 for cropping
• Update pclzip to 2.8
• Update PHPMailer to 2.0.4
• Update SWFUpload to 2.2.0.1
• Improved performance for script loading
• Improved archive and calendar queries
• Cron spawning improvements
• Timezone enhancements for PHP 5
• Add WP_Widget class and move native widgets into WP_Widget
• Allow other taxonomies (e.g. post categories) to be used with wp_tag_cloud (Changeset 10554)
• Add echo argument to wp_tag_cloud()
• Allow a plugin to control how many posts are displayed on edit pages
• Add “style” and “html” arguments to wp_list_authors (Ticket 4420)
• Add “exclude_tree” argument to wp_list_categories and make exclude behave like exclude_tree when hierarchical is specified–this was actually a 2.7.1 change (Ticket 8614)
• New Template Tag, the_modified_author (Ticket 9154)
• Enhanced support for custom taxonomies
• Put page title before blog name in admin title (Ticket 9028)
• Use https://api.wordpress.org/secret-key/1.1/ for the WordPress.org secret-key service
• Various phpDoc updates
• Refactor filters to avoid potential XSS attacks
• XMLRPC improvements
• Improved mysql2date coding
• Make authentication more pluggable
• Switch to using the ID when calling get_avatar internally to support caching plugins
• Allow plugins to provide a canonical redirect_url even if WordPress does not provide its own
• Drafts have post_date populated now, so look for a zeroed out post_date_gmt to determine non-scheduled nature
• Fixes to query_posts (obey post_type, drop orderby=category, use group by for meta key queries, remove meta_value from selected fields)
• New orderby=none parameter for use with query_posts
• Allow a plugin to filter the classes applied in wp_list_pages()
• Functions (get_adjacent_post_rel_link() and adjacent_post_rel_link()) to display relational links for adjacent posts in the head (Ticket 8703)
• Add the sticky post grey background to the default theme
• Proxy support
• Let a plugin filter the expanded capabilities returned by map_meta_cap
• Allow the update period to be filtered in RSS/RDF feeds
• Store field types in wpdb object
• Add tag description functions tag_description and term_description
• Add page class to get_body_class()
• Deprecate get_catname()
• Use comments_open() and pings_open() in WordPress Default and Classic themes
• Add wp_trim_excerpt() filter
• Consolidate plugin/theme/core upgrade/install functions
• Add page-id-x class to body for pages
• Return empty list in wp_list_bookmarks() if requested bookmark category does not exist
• Allow menu reordering via plugin
• Add hook for updating user profile
• Add redirect argument to wp_loginout
• Add wp_lostpassword_url (Ticket 9932)
• Add get_the_author_meta() and the_author_meta() functions
• Deprecate the_author_ID, the_author_login, the_author_firstname, the_author_lastname, the_author_nickname, the_author_email, the_author_url, the_author_aim, the_author_yim, the_author_mns, the_author_description and all their “get_*()” functions. (The full list at wp-includes/deprecated.php)
• Let plugins use screen layout columns
• Add labels to titles and text inputs
• Add hook for adding info to plugin update message
• Don’t do core version check from front page loads
• Allow a plugin to vary the comment cookie lifetime (or even remove the cookies altogether)
• Allow plugin to replace just the default help while preserving the contextual help
• New escaping naming convention Ticket 9650
• Deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security (ref. Development Updates)
• Deprecate sanitize_url() and clean_url() in favor of esc_url_raw() and esc_url() (ref. Development Updates)
• Add number/offset arguments to get_pages() (same parameters can be used for wp_list_pages()
• Make login more pluggable
• Add the_widget() function to output a generic widget anywhere in a template (Ticket 9701)
• Allow plugins to override tz support enable/disable
• Fix combining category and tag queries
• Support IIS 7.0 URL Rewrite Module
• Recognize Expression Web 2 as IIS
• Allow multiple search form templates
• Introduce sanitize_html_class() and use it to give categories, tags, users etc meaningful classnames where possible but fallback to the id if necessary (Ticket 8446)
• Allow a different role to be set for users when they are created in a call to wp_insert_user()
• Improve Filesystem method choice for ‘direct’; introduce FS_METHOD constant
• Add a hook in print_footer_scripts as in print_head_scripts
• Add a comment_moderation_headers filter
• Move upload_dir filter to before directory is created, so plugins can have a better effect
• Pass name to sidebar, footer, and header get actions
• Upgrader improvements, including move curl to last position and fockopen to 2nd position due to higher compatibility
• Updated Trac

Source: WordPress.org

As a long time WordPress user, I am happy to see the release of version 2.7. Mark Jaquith, wrote in his blog:

Without a doubt, my favorite new feature is comment moderation keyboard shortcuts. It has bothered me for a long time that comment moderation was such a tedious chore. Keyboard shortcuts (and the new inline reply) make it significantly less of a chore.

The new customizable post screen is a close second. I love that I can completely hide away all of the stuff that I don’t use (by clicking the “Screen Options” tab), and keep tags and categories on the right, while increasing the size of my post content box.

The new Publish module on the post screen is a personal treasure of mine. I took point on that, with some excellent design guidance from Jane Wells. It moves the “Save Draft” and “Publish” buttons far apart (a common complaint was that their proximity lead to accidental premature publishing. The Preview button now shows you the most recent changes to your post… not just the last saved version. Additionally, you can preview changes on published posts without those changes being shown publicly (until you’re ready). The Visibility section is new, and contains the functionality of private posts, password-protected posts, and sticky posts. Future posting is a lot more clear now. When you edit the time stamp to point to a future date, the “Publish” button becomes “Schedule.” All these changes were made to make your Publish module function predictably, so that you’re never wondering what happens when you click something.

The new menu system is great. I operate it in folded mode, so that my content can really take center stage.